Taylor Sasser

Reputation: 33

Using C++ namespaces inside of inline assembly code

I just have a quick question on whether this will work or not.

void __declspec(naked) HookProcessEventProxy() {
    __asm {
        mov CallObjectPointer, ecx
        push edx
        mov edx, dword ptr[esp + 0x8]
        mov UFunctionPointer, edx
        mov edx, dword ptr[esp + 0xC]
        mov ParamsPointer, edx
        pop edx
        pushfd
        pushad
    }
    ProcessEventProxy();
    __asm {
        popad
        popfd
        jmp[Pointers::OldProcessEvent] // This is the line in question.
    }
}

Does the Pointers namespace define to go to the Pointers::OldProcessEvent or will it go to the ProcessEvent I have inside of my DLLMain?
The HookProcessEventProxy is inside my DLLMain.

Upvotes: 3

Views: 477

Answers (1)

Cody Gray

Reputation: 244843

From the vendor-specific extensions in the code, it seems that you are compiling this on MSVC. If so, then this is not a problem. The inline assembler understands C++ scoping rules and identifiers.

You can easily verify this for yourself by analyzing the object code produced by the compiler. Either disassemble the binary using dumpbin /disasm, or throw the /FA switch when running the compiler to get a separate listing. What you'll see is that the compiler emits your inline assembly in a very literal fashion:

?HookProcessEventProxy@@YAXXZ PROC                  ; HookProcessEventProxy, COMDAT
    mov     DWORD PTR ?CallObjectPointer@@3HA, ecx  ; CallObjectPointer
    push    edx
    mov     edx, DWORD PTR [esp+8]
    mov     DWORD PTR ?UFunctionPointer@@3HA, edx   ; UFunctionPointer
    mov     edx, DWORD PTR [esp+12]
    mov     DWORD PTR ?ParamsPointer@@3HA, edx      ; ParamsPointer
    pop     edx
    pushfd
    pushad
    call    ?ProcessEventProxy@@YAXXZ               ; ProcessEventProxy
    popad
    popfd
    jmp     ?OldProcessEvent@Pointers@@YAXXZ        ; Pointers::OldProcessEvent
?HookProcessEventProxy@@YAXXZ ENDP                  ; HookProcessEventProxy

The above listing is from the file generated by the compiler when the /FA switch is used. The comments out to the right indicate the corresponding C++ object.

Note that you do not need the brackets around the branch target. Although the inline assembler ignores them, it is confusing to include them. Just write:

jmp Pointers::OldProcessEvent

Upvotes: 2
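
When checking a /FA listing like the one in the answer, it helps to split each decorated name back into its qualified C++ name and see whether it is a function or a variable. The following is an added example, not code from the original post or answer; `Decorated` and `ParseDecorated` are hypothetical names, and the parser handles only the plain `?name@scope@@code` form that appears in that listing.

```cpp
#include <initializer_list>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct Decorated {
    std::string qualified;  // e.g. "Pointers::OldProcessEvent"
    std::string kind;       // "function", "variable" or "other"
};

// Splits the plain form seen in the listing: ?name@scope@...@@<type code>.
// Templates, operators and back-references are rejected, not decoded.
Decorated ParseDecorated(const std::string& sym) {
    if (sym.size() < 2 || sym[0] != '?')
        throw std::invalid_argument("not a decorated name");
    std::vector<std::string> parts;  // name first, then scopes innermost-first
    std::size_t pos = 1;
    for (;;) {
        std::size_t at = sym.find('@', pos);
        if (at == std::string::npos)
            throw std::invalid_argument("unterminated name");
        if (at == pos) { pos = at + 1; break; }  // empty part: the "@@" terminator
        std::string part = sym.substr(pos, at - pos);
        if (part[0] == '?' || (part[0] >= '0' && part[0] <= '9'))
            throw std::invalid_argument("unsupported component");
        parts.push_back(part);
        pos = at + 1;
    }
    if (parts.empty())
        throw std::invalid_argument("empty name");
    Decorated d;
    for (std::size_t i = parts.size(); i-- > 0;) {  // outermost scope first
        d.qualified += parts[i];
        if (i != 0) d.qualified += "::";
    }
    // 'Y' marks a non-member function, '3' a global variable.
    char code = pos < sym.size() ? sym[pos] : '\0';
    d.kind = code == 'Y' ? "function" : code == '3' ? "variable" : "other";
    return d;
}

int main() {
    // Symbols copied from the /FA listing in the answer above.
    for (const char* s : {"?OldProcessEvent@Pointers@@YAXXZ",
                          "?ProcessEventProxy@@YAXXZ", "?CallObjectPointer@@3HA"}) {
        Decorated d = ParseDecorated(s);
        std::cout << s << " -> " << d.qualified << " (" << d.kind << ")\n";
    }
}
```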
